Upgrading SharePoint apps from Azure Access Control service to Azure Active Directory

Microsoft Community Learning

30 Mar 202312:02

Summary

TLDRThis video script explains the transition from Access Control Services (ACS) to Azure Active Directory (Azure AD) for applications interacting with SharePoint Online. It demonstrates how to upgrade existing solutions, create a new Azure AD application, and authenticate using an X509 certificate, ultimately enabling granular permission control and modern development techniques.

Takeaways

😀 Microsoft retired ECS (External Content Services) in November 2018, and it is recommended to upgrade to Azure Active Directory for new solutions.
🔒 ACS is an old authentication model based on ADIN, which is outdated. Modern development should rely on Azure Active Directory for application registration.
📈 Azure Active Directory allows for granular selection of permissions, such as resource-specific permissions, for consuming SharePoint Online sites or content.
📝 To upgrade from ACS to Azure AD, create a new Azure Active Directory application, generate an X509 certificate for authentication, and configure API permissions.
🔄 Refactor code from using ACS client ID and secret to Azure AD Open Authorization and a client ID with a certificate.
📑 Demonstrated how to register an application in Azure ACS through the SharePoint Online tenant page, obtaining a client ID, client secret, and configuring permissions.
💻 Showed an example of a C# application using the PMP framework to interact with SharePoint Online, including reading a document library title and uploading a document.
🔑 Explained how to register a new application in Azure AD using PMP PowerShell, generating a self-signed certificate and associating it with the application.
📋 Discussed how to grant permissions to the newly registered application in Azure AD, specifying the tenant and user credentials for authentication.
🔗 Provided a step-by-step guide on how to consume SharePoint Online using an Azure AD registered application, including reading a document library title and uploading a document.
🔄 Highlighted the process of registering the application image and using the authentication manager with the certificate, client ID, and tenant ID to authenticate and interact with SharePoint Online.

Q & A

What is the primary reason for upgrading from Access Control Services (ACS) to Azure Active Directory (Azure AD)?
-The primary reason for upgrading from ACS to Azure AD is that ACS is an older service based on an outdated development model. Microsoft retired ECS in November 2018 and recommends using Azure AD for new solutions and upgrading existing solutions to the newer model.
Why should new solutions not use Access Control Services (ACS)?
-New solutions should not use ACS because it is an outdated authentication model that is no longer supported for new development. Azure AD provides a more modern and secure approach to application authentication and access control.
What is the role of an X509 certificate in the context of SharePoint Online and Azure AD?
-An X509 certificate is used for app-only authentication with SharePoint Online. It is required to authenticate the application providing it with the necessary permissions to interact with SharePoint Online resources.
How can you create a new Azure AD application?
-You can create a new Azure AD application by registering it in the Azure portal, providing details such as the application name, redirect URI, and other necessary configurations.
What permissions are needed for an application to consume SharePoint Online?
-The application needs API permissions that allow it to access and manipulate SharePoint Online resources. These permissions can be configured during the application registration process in Azure AD.
How does the PMP framework help in developing applications that consume SharePoint Online?
-The PMP framework provides a set of packages and tools that accelerate the development process of applications that consume SharePoint Online. It helps manage configuration settings and streamlines the authentication process.
What is the purpose of the app settings JSON file in the provided example?
-The app settings JSON file in the example is used to store configuration settings for the application, such as the site URL, list ID, client ID, client secret, and other necessary details for connecting to SharePoint Online.
How can you upgrade an existing ACS-registered application to use Azure AD?
-To upgrade an existing ACS-registered application to use Azure AD, you need to create a new Azure AD application, generate an X509 certificate for authentication, configure the necessary API permissions, and refactor your code to use Azure AD authentication instead of ACS.
What is the significance of the tenant ID in the context of Azure AD application registration?
-The tenant ID is a unique identifier for the Azure AD tenant where the application is registered. It is used to associate the application with the correct Azure AD tenant and manage permissions and access control.
How does the authentication manager instance help in accessing SharePoint Online resources?
-The authentication manager instance, created using the client ID, certificate, and tenant ID, facilitates the authentication process with Azure AD. It enables the application to obtain a client context that can be used to access and manipulate SharePoint Online resources.